[177420] in North American Network Operators' Group


Re: HTTPS redirects to HTTP for monitoring

daemon@ATHENA.MIT.EDU (Kelly Setzer)
Sun Jan 18 15:05:28 2015

X-Original-To: nanog@nanog.org
From: Kelly Setzer <Kelly.Setzer@wnco.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Sun, 18 Jan 2015 20:05:18 +0000
In-Reply-To: <20150118.183119.1694097476080201717.wwaites@tardis.ed.ac.uk>
Errors-To: nanog-bounces@nanog.org

I don't know if you're referring to HSTS.  If not, it's worth noting in
this thread.  As I understand HSTS, session decryption is still possible
on sites that send the 'Strict-Transport-Security' header.  See:
https://tools.ietf.org/html/rfc6797

I suspect it's only a matter of time before browsers become suspicious by
default, requiring that HTTPS responses be signed and requiring that SSL
certificates come from trusted sources.  In other words, HSTS is the next
step in a long-running arms race.  It will not be the last.  See this 1997
article for a taste: http://www.apacheweek.com/features/ssl

	Money quote: "The US Government imposes export restrictions on arms, in a
	set of rules called ITAR"

All of this points to the deficiency of the existing commercial
certificate authority system.  The fact that organizations can easily
purchase software specifically designed to subvert encrypted communication
channels is proof that HTTPS security is an illusion.


Kelly


On 1/18/15, 12:31 PM, "William Waites" <wwaites@tardis.ed.ac.uk> wrote:

>On 18 Jan 2015 18:15:09 -0000, "John Levine" <johnl@iecc.com> said:
>
>    > I expect your users would fire you when they found you'd blocked
>    > access to Google.
>
>Doesn't goog do certificate pinning anyways, at least in their web
>browser?



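Added example, not part of the thread and not code from any poster: a small Python model of the two mechanisms the message above touches on. It parses the Strict-Transport-Security header as RFC 6797 specifies, then walks a client's decision for a request when a TLS-interception proxy presents a certificate chained to a CA in the trust store. With HSTS alone the proxy is accepted (HSTS forces HTTPS and makes certificate errors fatal, but a trusted chain produces no error); with SPKI pinning of the kind the reply asks about for Google, the proxy's key is rejected. All hostnames, CA names, key bytes and timestamps are constructed placeholders; spki_pin() uses the base64(sha256(SPKI)) form of HPKP and Chrome's built-in pins.

```python
# Constructed illustration, not code from the NANOG thread. All hosts, CA
# names, key bytes and timestamps below are made up for the example.
import base64
import hashlib


def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns {'max_age', 'include_subdomains'} or None when the header is
    invalid (no max-age, or a directive given twice)."""
    max_age, include_subdomains, seen = None, False, set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if not name:
            continue
        if name in seen:  # a duplicated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # other directives (e.g. preload) are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def record_sts(store, host, header, now):
    """Update the client's HSTS store from one response (RFC 6797 8.1)."""
    policy = parse_sts(header)
    if policy is None:
        return False
    if policy["max_age"] == 0:
        store.pop(host.lower(), None)  # max-age=0 deletes the entry
    else:
        store[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
    return True


def hsts_applies(store, host, now):
    """True if an unexpired entry covers host directly or via includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return True
    return False


def spki_pin(spki_der):
    """Pin in the HPKP / Chrome form: base64(sha256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def evaluate(scheme, host, cert, trusted_cas, hsts_store, pins, now):
    """Decide one request. cert is the leaf presented by whoever terminates
    TLS ({'issuer': name, 'spki': DER bytes}); pins maps host -> set of pins.
    Returns (effective scheme, verdict)."""
    if scheme == "http":
        if not hsts_applies(hsts_store, host, now):
            return ("http", "plaintext")
        scheme = "https"  # RFC 6797 8.3: insecure URI rewritten to https
    if cert["issuer"] not in trusted_cas:
        if hsts_applies(hsts_store, host, now):  # RFC 6797 8.4: no click-through
            return ("https", "blocked: untrusted issuer, no override under HSTS")
        return ("https", "warning: untrusted issuer, user may click through")
    host_pins = pins.get(host.lower(), set())
    if host_pins and spki_pin(cert["spki"]) not in host_pins:
        return ("https", "blocked: SPKI pin mismatch")
    return ("https", "ok")


def demo():
    """Constructed scenario: an interception CA installed in the trust store."""
    now = 1421600000
    trusted = {"Public-Root-CA", "Corp-Intercept-CA"}  # hypothetical CA names
    store = {}
    record_sts(store, "bank.example", "max-age=31536000; includeSubDomains", now)
    record_sts(store, "pinned.example", "max-age=31536000", now)
    real_key, proxy_key = b"real-server-spki", b"interception-proxy-spki"
    pins = {"pinned.example": {spki_pin(real_key)}}
    proxy_cert = {"issuer": "Corp-Intercept-CA", "spki": proxy_key}
    rogue_cert = {"issuer": "Rogue-CA", "spki": proxy_key}
    return {
        # HSTS upgrades http://, but the proxy chains to a trusted CA: accepted
        "hsts_only": evaluate("http", "www.bank.example", proxy_cert, trusted, store, pins, now),
        # the same proxy against a pinned host is rejected despite the trusted chain
        "pinned": evaluate("https", "pinned.example", proxy_cert, trusted, store, pins, now),
        # with an untrusted issuer, HSTS hosts hard-fail while other hosts only warn
        "untrusted_hsts": evaluate("https", "bank.example", rogue_cert, trusted, store, pins, now),
        "untrusted_plain": evaluate("https", "other.example", rogue_cert, trusted, store, pins, now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The "hsts_only" case is the one the message is about: the interception proxy's certificate validates because its CA was installed on the client, so HSTS has nothing to object to. Only the pinned host catches it, which is why the reply's question about Google's pinning is the relevant one.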

